-## defiface NAME NETCLASS:NETWORK/MASK...
-##
-## Declares a network interface NAME and associates with it a number of
-## reachable networks. During source classification, a packet arriving on
-## interface NAME from an address in NETWORK/MASK is classified as coming
-## from to NETCLASS. During destination classification, all packets going to
-## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
-## (which is good, because the outgoing interface hasn't been determined
-## yet).
-##
-## As a special case, the NETWORK/MASK can be the string `default', which
-## indicates that all addresses not matched elsewhere should be considered.
-ifaces=:
-defaultiface=none
-allnets= allnets6=
-defiface () {
- set -e
+## defnet NET CLASS
+##
+## Define a network. Follow by calls to `addr', `forwards', etc. to define
+## properties of the network. Networks are processed in order, so if their
+## addresses overlap then the more specific addresses should be defined
+## earlier.
+defnet () {
+ net=$1 class=$2
+ addword allnets $net
+ eval net_class_$1=\$class
+}
+
+## addr ADDRESS/LEN ...
+##
+## Define addresses for the network being defined. ADDRESSes are in
+## colon-separated IPv6 or dotted-quad IPv4 form.
+addr () {
+ for i in "$@"; do
+ case "$i" in
+ *:*) addword net_inet6_$net $i ;;
+ *) addword net_inet_$net $i ;;
+ esac
+ done
+}
+
+## forwards NET ...
+##
+## Declare that packets from this network are forwarded to the other NETs.
+forwards () {
+ eval "net_fwd_$net=\"$*\""
+}
+
+## noxit NET ...
+##
+## Declare that packets from this network must not be forwarded to the other
+## NETs.
+noxit () {
+ eval "net_noxit_$net=\"$*\""
+}
+
+## host HOST ADDR ...
+##
+## Define the address of an individual host on the current network. The
+## ADDRs may be full IPv4 or IPv6 addresses, or offsets from the containing
+## network address, which is a simple number for IPv4, or a suffix beginning
+## with `::' for IPv6. If an IPv6 base address is provided for the network
+## but not for the host then the host's IPv4 address is used as a suffix.
+host () {